First, thanks to Joseph Menn of Reuters for the article. Joseph is a great reporter. He asks intelligent questions, and clearly "gets it" in my opinion. I just wanted to add a little more to my part of the story.
The quotes provided… "We've got this cancer that is growing inside our critical infrastructure. When are we going to go under the knife instead of letting this fester?" and "We need to restructure some regulations and incentives." …were part of a larger conversation where many things were discussed. Everyone should know by now that Industrial Control Systems, in particular the legacy devices, are prone to security vulnerabilities. For example, in the article two of the researchers (Eric Forner and Brian Meixell) took less than 16 hours to find something worthy of a BlackHat talk.
This is not an issue for any one country or company. We all buy the same gear from the same vendors.
Everyone asks if regulation would make the situation better. The simple answer is no. Regulation - by itself - won't solve this problem. A good example would be the NERC CIP Standards. They are often credited with getting the security ball rolling for the electric sector. They may or may not ultimately lead to a more secure grid, but I can say for certain that we have seen some very real "unintended consequences" from the existing regulatory model for the electric sector in North America. Other countries and continents are watching what is happening here and basing their future choices on our lessons learned.
For those that don't fully appreciate our current regulatory construct, I'll keep it simple. With the existing Powers That Be, there is no way to regulate cybersecurity for the power grid end-to-end. There's no department, agency, bureau, commission or corporation with jurisdiction to cover all of it. So, we're left with a patchwork of rules from authorities that work together through a model that more closely resembles a bar-fight than a choir singing from the same hymnal. Sometimes this friction is actually beneficial. Sometimes it isn't. Either way, the utilities are left with the bill. And like most situations, money matters.
Which brings me to incentives. Somehow, we found a way to incentivize things like Smart Grid. To the tune of billions of dollars. We haven't done the same thing for cybersecurity. We need incentives for R&D so new security technologies can make their way from idea to product. We need incentives to upgrade to these new security technologies and get rid of the excuse that it costs too much to take an outage and replace hardware. We need incentives and assistance to train the next wave of cybersecurity professionals for the industry. We need incentives to share information between utilities so they can gain situational awareness from their interconnected peers (and the government, if they so desire) - in a way that won't put them in a legal pinch for doing so.
Through all of this, electric utilities are not just sitting on their hands when it comes to cybersecurity. There are dedicated, responsible, and profoundly smart people keeping the juice flowing. They do it every day. They fix it fast when it breaks. And they work just as hard to keep it secure. This is serious business for them. They are using the equipment they have, and yes, some of it is vulnerable to the types of attack you will see at BlackHat next week. Yet, they get the job done safely and at the lowest cost possible. So, the next time you flip the switch on the wall, remember that your local utility is harnessing one of the most powerful forces in nature and squeezing it down a skinny wire to your house so you can see in the dark, dry your jeans and toast a bagel.
Well, what's the solution? Sure, we could make those greedy, irresponsible vendors fix their vulnerable gear. And yes, that's a good start, but the utility can only upgrade so fast (don't forget about that whole "force of nature" thing -- you gotta work carefully and methodically around stuff like that). We could fix the regulatory model. Yeah, that's not a bad idea, but remember we're not really set up for that. It would literally take an act of Congress to make it happen - which isn't entirely out of the picture, but I'm not holding my breath. We could throw money at the problem, but that will bring the carpetbaggers and crooks along for the ride. See my point? There isn't one silver bullet to solve this problem. Like brushing and flossing, like diet and exercise, it's going to take conversation and compromise. This is the hard road, but it's the right road and everyone knows it. They're just too lazy to do it right.
Join me. Grab a spoon, get your seat at the table and let's eat this elephant in the room together. It's not going to taste good. It's not going to be over quick. But we won't get past it until we decide to do it together. I'll bring the Bourbon and sarcasm to help wash it down.